Posts

Zero Day Discovery and Infosec Success Celebrations

Image
With the world in quarantine and isolation because of COVID-19, I decided to publish a blog post reminding us of more cheerful times.

Take yourself back to the last time you spent weeks hammering away at a seemingly impossible challenge, and quickly fast-forward to when you finished that problem.

Do you remember your intense excitement and satisfaction? How did you celebrate your success?
I asked security researchers how they celebrate finding 0days, APTs in the wild, new malware, and other big successes.  Here are the results. Thomas Roth @StackSmashingFounder of leveldown, co-founder of keylabsio
"I once had a celebratory cake for an 0day" "otherwise I tend to [celebrate] with a nice beer in the evening :)"
Ashley Shen @ashley_shen_920Security Engineer at Google Threat Analysis Group
"I usually celebrate with picking a restaurant from my do-eat list and have a good meal with friends :)"
Yahav Azran @Yahav_AzranIndependent Security Vulnerability Resear…

Integer Overflow Reference: Min & Max Values

Image
A reference for when working with integers, and looking for integer overflows and underflows.

When an integer type, such as an int or unsigned short, overflows (the variable is given a value greater than the maximum value it can hold), the integer "wraps around" and becomes the minimum value the type can store.
Similarly, when an integer type underflows (the variable is given a value smaller than the maximum value it can hold), the integer "wraps around" and becomes the maximum value the type can store.

Use the chart below to find the minimum and maximum values each type can hold.
Size Chart
TypeSize In BytesMinimum ValueMaximum Valuechar1 byte-128+127unsigned char1 byte0+255short2 bytes-32,768+32,767unsigned short2 bytes0+65,535int4 bytes-2,147,483,648+2,147,483,647long4 bytes-2,147,483,648+2,147,483,647unsigned int4 bytes0+4,294,967,295unsigned long4 bytes0+4,294,967,295long long8 bytes-9,223,372,036,854,775,808+9,223,372,036,854,775,807unsigned long long8 bytes0…

Bash LS Coloring Internals: How Does `ls` Know Which Colors To Use?

Image
Many of us take for granted ls's convenient display, and probably didn't ever stop to consider how it even knows which colors to use for which files. This very question sparked my curiosity and lead me to researching the internals of this mechanism.

While ls is open source and you can read its code to understand the underlying logic, I decided not to do so as I wanted to take a black box approach.

tl;dr at end of post
How Does ls Identify File Types? Do File Contents Matter? I engineered two simple test to check if ls takes into account a file's content when it chooses its color:

I created empty files each with a different extension and ran ls to see which colors it selected for the filesI exchanged the contents of an image and executable and ran ls to see which colors it selected for the files The first experiment showed that ls uses the filename's extension to select a color when the file is empty.

The second experiment further showed that ls depends on files' nam…

CVE-2019-17421 Privilege Escalation Vulnerability In Zoho's OpManager & Firewall Analyzer

Image
Target ๐ŸŽฏ Vendor ๐Ÿญ
ManageEngine which is a division in Zoho Corp. creates IT management software and tools. The company is a major player in IT management with over 90 tools, and 3 million users served in over 190 countries.
Products ๐Ÿ’ฟ Two of ManageEngine's popular products are it's network firewall analyzer and network monitoring software respectively named ManageEngine Firewall Analyzer and ManageEngine OpManager. Vulnerability CVE-2019-17421 affects both (and possibly more) of these products.
Vulnerability ⚡ After I set these programs as my research targets, I installed their free trial version, and began mapping out the attack surface. The first thing I noticed is that the program runs as root. This is great for our purposes as this means any local vulnerability will lead to LPE (Local Privilege Escalation). To achieve my goal of finding a security bug, I am no longer limited to only the remotely accessible attack surface.

Next, I found the program defaultly installs it…

Stack Overflow CVE-2019-17424 Vulnerability Write-Up and RCE Exploit Walk Through

Image
Stack Overflow CVE-2019-17424 Vulnerability Write-Up and RCE Exploit Walk Through This is Part 2 in a 4 part series about my process hunting for vulnerabilities in a network auditing tool (used to protect networks by detecting and fixing security holes), and fully exploiting one of the vulnerabilities I found. I recommend reading the series in ascending numeric order. Link to part 1 here. Links to parts 3, and 4 at the end of this post.

This post describes how I found CVE-2019-17424 and successfully exploited the vulnerability in the precompiled, packaged product.
Vulnerability ⚡ Reader’s Exercise ๐Ÿ”Ž I found CVE-2019-17424 by manually reviewing the source code of nipper-ng. Provided below is an excerpt from the source code containing only the vulnerable function. You are welcome to take it as an exercise to find the vulnerability in the code below:

Notice: The vulnerability in the code above is identified in the paragraph below. If you want to try to find the vulnerability yourself, o…

Attacking The Network's Security Core - Hunting For Vulnerabilities In A Network Security Tool

Image
A network can only be as secure as the tools used to secure it Overview This is Part 1 in a 4 part series about my process hunting for vulnerabilities in a network auditing tool (used to protect networks by detecting and fixing security holes) and fully exploiting one of the vulnerabilities I found. I recommend reading the series in ascending numeric order. Links to parts 2, 3, and 4 at the end of this post.
Target ๐ŸŽฏI decided to look for (and successfully found) vulnerabilities in network security tool, as a vulnerability in such a tool could allow attackers to hide themselves in an otherwise secure network, or even be exploited for lateral movement.

One such network security tool that came to mind is Nipper-ng, a firewall security auditing tool and firewall configuration parser. In addition to being a security product itself, Nipper-ng is used behind the scenes in other security products such as ManageEngine's OpManager and Firewall Analyzer. The tool is also included in all i…

Simplest Fibonacci Assembly Code

Image
Tl;Dr There is an insanely cool, simple and elegant way to calculate Fibonacci numbers in assembly using only 2 opcodes!

Full disclosure: this post is inspired by chapter two of the book "xchg rax, rax".
Fibonacci Numbers Just a simple review: Fibonacci Numbers are calculated with the formula below.


So for example to get the 3'rd Fibonacci number, we need to sum the 2nd and 1st Fibonacci numbers.
The Code ๐Ÿ‘จ‍๐Ÿ’ป๐Ÿ‘ฉ‍๐Ÿ’ป Behold! Below is the most elegant code you will ever see for in assembly


Source available here.
Explanation๐Ÿง  The magic happens in the XADD opcode which is an "xchg (exchange)" and "add"  operation in one opcode. It works exactly as you would expect: first exchange the two operands, and then add them saving the result to the first operand. Official Intel documentation here.

Next, the "loop" opcode changes the code flow to jump back and re-execute the xadd opcode multiple times.
Understanding ✔ To completely understand why and ho…